[wp-trac] [WordPress Trac] #53962: The bug allows to see the name(s) of a user(s) who has replied to a comment (not yet authorized).
WordPress Trac
noreply at wordpress.org
Tue Feb 21 01:43:47 UTC 2023
#53962: The bug allows to see the name(s) of a user(s) who has replied to a comment (not yet authorized).
-------------------------------------+-------------------------------------
Reporter:  fasuto                    | Owner:      hellofromTonya
Type:      defect (bug)              | Status:     closed
Priority:  normal                    | Milestone:  6.2
Component: Comments                  | Version:    2.7
Severity:  normal                    | Resolution: fixed
Keywords:  has-patch has-unit-tests  | Focuses:    administration, privacy
           has-testing-info          |
           add-to-field-guide commit |
-------------------------------------+-------------------------------------
Changes (by peterwilsoncc):
* status: accepted => closed
* resolution: => fixed
Comment:
In [changeset:"55369" 55369]:
{{{
#!CommitTicketReference repository="" revision="55369"
Comments: Prevent replying to unapproved comments.
Introduces client and server side validation to ensure the `replytocom`
query string parameter cannot be exploited to reply to an unapproved
comment or display the name of an unapproved commenter.
This only affects commenting via the front end of the site. Comment
replies via the dashboard continue their current behaviour of logging the
reply and approving the parent comment.
Introduces the `$post` parameter, defaulting to the current global post,
to `get_cancel_comment_reply_link()` and `comment_form_title()`.
Introduces `_get_comment_reply_id()` for determining the comment reply ID
based on the `replytocom` query string parameter.
Renames the parameter `$post_id` to `$post` in `get_comment_id_fields()`
and `comment_id_fields()` to accept either a post ID or `WP_Post` object.
Adds a new `WP_Error` return state to `wp_handle_comment_submission()` to
prevent replies to unapproved comments. The error code is
`comment_reply_to_unapproved_comment` with the message `Sorry, replies to
unapproved comments are not allowed.`.
Props costdev, jrf, hellofromtonya, fasuto, boniu91, milana_cap.
Fixes #53962.
}}}
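The server-side half of the fix described in the commit message is a check on the parent comment's approval status before a front-end reply is stored. The following is an added example, not the code from changeset 55369 or any WordPress core file: it shows how a site that has not yet updated to 6.2 could enforce the same rule from a plugin, using the real `pre_comment_approved` filter (which `wp_allow_comment()` applies and whose `WP_Error` return aborts `wp_new_comment()`), and how a theme could resolve `replytocom` without echoing an unapproved commenter's name. The function names `example_block_reply_to_unapproved` and `example_safe_reply_id` are assumptions; the error code and message are the ones the commit message names.

```php
<?php
/**
 * Added example (not changeset 55369's own code): block front-end replies
 * to comments that are not approved, and resolve `replytocom` safely.
 */

add_filter( 'pre_comment_approved', 'example_block_reply_to_unapproved', 10, 2 );

/**
 * Reject a reply whose parent comment is missing, unapproved, or belongs
 * to a different post. Returning WP_Error from this filter makes
 * wp_new_comment() abort instead of storing the comment.
 *
 * @param int|string|WP_Error $approved    Approval status computed so far.
 * @param array               $commentdata Comment data, including 'comment_parent'.
 * @return int|string|WP_Error Unchanged status, or WP_Error to reject the reply.
 */
function example_block_reply_to_unapproved( $approved, $commentdata ) {
	// Dashboard replies (including admin-ajax) keep their existing behaviour
	// of approving the parent; only the front-end submission path is gated.
	if ( is_admin() ) {
		return $approved;
	}

	$parent_id = isset( $commentdata['comment_parent'] ) ? absint( $commentdata['comment_parent'] ) : 0;
	if ( 0 === $parent_id ) {
		return $approved; // Top-level comment, nothing to validate.
	}

	$parent = get_comment( $parent_id );

	// Anything other than '1' (approved) is '0' (pending), 'spam' or 'trash'.
	// Accepting the reply would confirm that the hidden comment exists.
	if ( ! $parent || '1' !== (string) $parent->comment_approved ) {
		return new WP_Error(
			'comment_reply_to_unapproved_comment',
			__( 'Sorry, replies to unapproved comments are not allowed.' ),
			403
		);
	}

	// Assumption for this example: also refuse a parent that lives on another
	// post, so a forged `comment_parent` cannot attach a reply across posts.
	$post_id = isset( $commentdata['comment_post_ID'] ) ? absint( $commentdata['comment_post_ID'] ) : 0;
	if ( $post_id && (int) $parent->comment_post_ID !== $post_id ) {
		return new WP_Error(
			'comment_reply_to_unapproved_comment',
			__( 'Sorry, replies to unapproved comments are not allowed.' ),
			403
		);
	}

	return $approved;
}

/**
 * Resolve the `replytocom` query parameter to a comment ID that is safe to
 * show in a "Leave a Reply to ..." heading: only approved comments on the
 * given post yield a non-zero ID, so an unapproved commenter's name is
 * never displayed. (Hypothetical theme helper, not core's _get_comment_reply_id().)
 *
 * @param int|WP_Post $post Post being displayed (defaults to the global post).
 * @return int Approved parent comment ID, or 0.
 */
function example_safe_reply_id( $post = null ) {
	if ( ! isset( $_GET['replytocom'] ) ) {
		return 0;
	}

	$post = get_post( $post );
	if ( ! $post ) {
		return 0;
	}

	$reply_id = absint( $_GET['replytocom'] );
	$comment  = $reply_id ? get_comment( $reply_id ) : null;

	if ( ! $comment
		|| '1' !== (string) $comment->comment_approved
		|| (int) $comment->comment_post_ID !== (int) $post->ID ) {
		return 0;
	}

	return $reply_id;
}
```

The two functions cover the two disclosure paths the commit message names: `example_block_reply_to_unapproved` stops the reply from being stored at all, and `example_safe_reply_id` gives a theme a value for the reply heading that is zero unless the parent is visible to everyone. Comparing `comment_approved` as a string matters because the column holds `'spam'` and `'trash'` as well as `'0'` and `'1'`; a loose numeric comparison would treat `'spam'` as unapproved only by accident.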
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53962#comment:30>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list